Ingest GELF payloads into Seq
Branch: master
Clone or download
KodrAus Merge pull request #36 from KodrAus/fix/defensive-check
Check for capacity exceeded more defensively
Latest commit 379f637 Feb 6, 2019

sqelf Build status Seq.Input.Gelf datalust/sqelf

Ingest Graylog Extended Log Format (GELF) messages via UDP into Seq. The app is packaged both as a plug-in Seq App for all platforms, and as a standalone Docker container that forwards events to Seq via its HTTP API.

Getting started on Windows (requires Seq 5.1+)

On Windows, the GELF input is installed into Seq as a Seq App.

Seq GELF input

1. Install the app package

In Settings > Apps, choose Install from NuGet. The app package id is Seq.Input.Gelf.

2. Start an instance of the app

From the apps screen, choose Add Instance and give the new GELF input a name.

The default settings will cause the GELF input to listen on localhost port 12201. Choose a different port if required.

Select Save Changes to start the input.

3. Configure Windows Firewall

Ensure UDP port 12201 (or the selected port, if you specified a different one), is allowed through Windows Firewall.

4. Log some events!

That's all there is to it. Events ingested through the input will appear in the Events stream. If the input doesn't work, check for diagnostic events raised by the input app (there is some status information shown under the app instance name).

Events ingested by the input will be associated with the default None API key, which can be used to attach properties, apply filters, or set a minimum level for the ingested events.

Getting started with Docker (all versions)

For Docker, the app is deployed as a Docker container that is expected to run alongside the Seq container. The datalust/sqelf container accepts UDP GELF payloads on port 12201, and forwards them to the Seq ingestion endpoint specified in the SEQ_ADDRESS environment variable.

To run the container:

$ docker run \
    --rm \
    -it \
    -p 12201:12201/udp \
    -e SEQ_ADDRESS= \

The container is published on Docker Hub as datalust/sqelf.

Container configuration

A sqelf container can be configured using the following environment variables:

Variable Description Default
SEQ_ADDRESS The address of the Seq server to forward events to http://localhost:5341
SEQ_API_KEY The API key to use -
GELF_ADDRESS The address to bind the UDP GELF server to

Quick local setup with docker-compose

The following is an example docker-compose file that can be used to manage a local Seq container alongside sqelf in your development environment to collect log events from other containers:

version: '3'
    image: datalust/sqelf:latest
      - seq
      - "12201:12201/udp"
      SEQ_ADDRESS: "http://seq:5341"
    restart: unless-stopped
    image: datalust/seq:latest
      - "5341:80"
    restart: unless-stopped
      - ./seq-data:/data

The service can be started using docker-compose up:

$ docker-compose -p seq up -d

Collecting Docker container logs

The output from any Docker container can be collected by configuring its logging driver on startup:

$ docker run \
    --rm \
    -it \
    --log-driver gelf \
    --log-opt gelf-address=udp:// \

In this case the gelf-address option needs to resolve to the running sqelf container.